North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware

Published on September 17, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

A new wave of attacks orchestrated by North Korean threat actors targeting professionals on LinkedIn who use cryptocurrency was observed by cybersecurity experts Jamf Threat Labs in a recent advisory. The hackers were seen employing a relatively new malware named RustDoor.

The attackers, masquerading as recruiters from legitimate decentralized cryptocurrency exchanges like STON.fi, engage potential victims through LinkedIn. Their strategy is to lure individuals into what appears to be genuine job offers or coding assignments. 

This multi-layered campaign highlights the adversaries' intricate social engineering techniques, designed to infiltrate enterprise networks under the guise of professional opportunities.

RustDoor, a formidable macOS backdoor that disguises itself as an update for Microsoft Visual Studio and permits unauthorized access to sensitive data and critical systems, is delivered via booby-trapped Visual Studio projects, pretending to be coding challenges. 

LinkedIn Malware Campaign
Image Source: Jamf Threat Labs

Upon execution, these projects deploy multiple payloads, namely "VisualStudioHelper" and "zsh_env," which maintain persistence by embedding themselves into system configurations. 

Notably, the malware remains undetected by most anti-malware engines, complicating the detection process for targeted organizations.

Among the key indicators of compromise in these attacks are requests to execute unfamiliar code or download applications onto company devices. Such actions, masked as 'pre-employment tests' or debugging exercises, are critical red flags. 

Additionally, attackers may seek to execute non-standard packages or scripts from repositories like Node.js and GitHub.

This attack is part of a larger series of attacks on LinkedIn. Threat actors affiliated with North Korea have been seen deploying the COVERTCATCH malware through deceptive job recruitment schemes, targeting developers in decentralized finance (DeFi) and the wider Web3 sector.

The U.S. Federal Bureau of Investigation (FBI) has highlighted the sophistication of these campaigns, emphasizing the need for heightened vigilance among decentralized finance (DeFi) and cryptocurrency businesses.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: